Microsoft Patches Critical Windows Me Flaw

Buffer overruns are detected in Microsoft's Windows Me
Help and Support Center.

Microsoft has appended a
'critical' rating to a security patch issued for
buffer overflows in its Windows Me Help and Support
Center.

The Help and Support Center, which gives users a
centralized facility to get assistance on a variety of topics,
contains an unchecked buffer in the way it handles the
hcp:// prefix in a URL link.

Microsoft warned that an attacker could dupe a user
into clicking on the URL and then executing harmful
code. The attack scenarios could be Web-based and via
e-mail, the company warned.

It said the patch (available for download
here), should be installed immediately to avoid a
Web-based attack scenario where a vulnerable system
would allow an attacker to read or launch files
already present on the local machine.

In the case of an e-mail borne attack, if a users
was not using Outlook Express 6.0 or Outlook 2002 as
the default e-mail client, Microsoft said the attack
could be triggered automatically without the user
having to click on a URL contained in an e-mail.

The Windows Me Help Center provides product
documentation and hardware compatibility assistance to
Microsoft customers. It also gives users access to the
Windows Update and online support from Microsoft.